Controlling Information Systems: IT Processes:

In chapter 8 we look at Controls specifically designed for the Information Systems Function.

COBIT

What is COBIT? Control Objectives for Information and Related Technology was developed to provide guidance on best practices for the management of information technology. COBIT identifies five IT resources:
  • Data: Objects in their widest sense (i.e., external and internal), structured and unstructured, graphics, sound, etc.
  • Application systems: are understood to be the sum of manual and programmed procedures reflecting business processes.
  • Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
  • Facilities: are all resources used to house and support information resources.
  • People: include staff skills; awareness; and productivity to plan, organize, acquire, deliver, support, and monitor information systems and services.

COBIT's definition of Control: The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Information Systems Function (ISF):

Definition: the department or function that develops and operates an organization's information system. The function is composed of people, procedures, and equipment, and it is typically called the information services department, IT department, or data processing department.
Types of Organizational structures for ISF:
  • Centralized: places the information systems function under the line authority of the vice president of information systems (CIO)
  • Decentralized: assigns personnel to non-central (e.g., departments) organizational units.
  • Functional: assigns personnel to skills-based units (e.g., programming, systems analysis). Used by both decentralized and centralized organizations.
  • Matrix: assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader.
  • Project: establishes permanent systems development structures such as "Financial Systems Development."

Summarize the key control concerns (similar to business exposures) for the various ISF functions (see if you can combine similar concerns by hierarchical layer in the organization chart).

COBIT Control Process Domains:

  • Planning and Organization (within this domain are processes to develop the strategy and tactics for realizing an organization's information technology strategy).
    • Process#1: Establish strategic vision for IT.
    • Process#2: Develop tactics to plan, communicate, and manage realization of the strategic vision.
  • Acquisition and Development (processes within this domain are designed to identify, develop or acquire, and implement IT solutions, and integrate them into the business process).
    • Process#3: Identify automated solutions.
    • Process#4: Develop and acquire IT solutions.
    • Process#5: Integrate IT solutions into operational processes.
    • Process#6: Manage changes to existing IT systems. To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures.
  • Delivery and Support (failure to implement these processes can lead to erroneous recordkeeping, erroneous management decisions and statutory sanctions)
    • Process#7: Deliver required IT services. The process includes activities related to the delivery of IT services that were planned by the IT processes in the planning and organization domain, and developed and implemented by the IT processes in the acquisition and implementation domain.
    • Process#8: Ensure security and continuous service. Provide a secure operating environment for IT and plan for increases in required capacity and losses of usable resources.
    • Process#9: Provide support services. Management should identify the training needs of all personnel and see that timely training sessions are conducted.
  • Monitoring
    • Process#10: Monitor operations. Management establishes a system for defining performance indicators, gathering data about all processes, and generating performance reports.


Segregation of Duties:


Definition of Segregation of Duties: Dividing responsibilities for different portions of a transaction among several different people or departments.

Segregating Events Processing:
Segregation of duties consists of separating the four basic functions of event processing:
1. Authorizing events: approve phases of event processing
2. Executing events: physically move resources; complete source documents
3. Recording events: record events in books of original entry; post event summaries to the GL
4. Safeguarding resources: physically protect resources; maintain accountability of physical resources

Segregating Information Systems Functions:
-The ISF normally acts in a service capacity for other operating units. Therefore, it should be limited to carrying out function 3 (recording events and posting event summaries).
-Within the ISF, we segregate duties to control unauthorized use of, and changes to, the computer and its data:
Data librarian – grants access to stored data and programs to authorized personnel only
Security officer – assigns passwords, monitors employees’ network access, grants security clearance, etc.
Additional information on Security Officer- is responsible for the overall operation of the various security systems and the security software in general.
IT steering committee – coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan
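The two segregation rules above (no one person holds more than one of the four event-processing functions; the ISF holds only the recording function) can be checked mechanically against a role assignment list or a transaction log. The following Python is an added example written for these notes, not code from the textbook; the people, departments and transaction ids are constructed sample data, and the rules are encoded exactly as the notes state them.

```python
"""Segregation-of-duties (SoD) conflict checks over constructed sample data."""
from collections import defaultdict

# The four basic functions of event processing, as listed in the notes.
AUTHORIZE = "authorize"
EXECUTE = "execute"
RECORD = "record"
SAFEGUARD = "safeguard"
ALL_FUNCTIONS = {AUTHORIZE, EXECUTE, RECORD, SAFEGUARD}

# Constructed sample: (person, department, function held) for one transaction cycle.
# Names and departments are hypothetical.
ASSIGNMENTS = [
    ("alice", "sales", AUTHORIZE),
    ("bob", "warehouse", EXECUTE),
    ("carol", "isf", RECORD),
    ("dave", "treasury", SAFEGUARD),
    ("erin", "isf", RECORD),
    ("erin", "isf", EXECUTE),     # same person executes and records: SoD conflict
    ("frank", "isf", AUTHORIZE),  # ISF holding a function other than recording
]

# Constructed sample transaction log: who performed each function on each event.
TRANSACTIONS = [
    {"id": "SO-1001", AUTHORIZE: "alice", EXECUTE: "bob", RECORD: "carol"},
    {"id": "SO-1002", AUTHORIZE: "alice", EXECUTE: "erin", RECORD: "erin"},
]


def functions_by_person(assignments):
    """Map each person to the set of event-processing functions they hold."""
    held = defaultdict(set)
    for person, _dept, func in assignments:
        held[person].add(func)
    return dict(held)


def find_person_conflicts(assignments):
    """People holding more than one of the four functions (rule: one function per person)."""
    return {p: sorted(f) for p, f in functions_by_person(assignments).items() if len(f) > 1}


def find_isf_violations(assignments, isf_dept="isf"):
    """Assignments where the ISF holds anything other than the recording function."""
    return [(p, func) for p, dept, func in assignments if dept == isf_dept and func != RECORD]


def coverage_gaps(assignments):
    """Functions nobody is assigned to (a control gap rather than a conflict)."""
    held = {func for _, _, func in assignments}
    return sorted(ALL_FUNCTIONS - held)


def transaction_conflicts(transactions):
    """Detective check: events where one person performed two or more functions."""
    findings = []
    for t in transactions:
        roles = defaultdict(list)
        for func in (AUTHORIZE, EXECUTE, RECORD):
            roles[t[func]].append(func)
        for person, funcs in roles.items():
            if len(funcs) > 1:
                findings.append((t["id"], person, funcs))
    return findings


if __name__ == "__main__":
    print("person conflicts:", find_person_conflicts(ASSIGNMENTS))
    print("ISF violations:", find_isf_violations(ASSIGNMENTS))
    print("coverage gaps:", coverage_gaps(ASSIGNMENTS))
    print("transaction conflicts:", transaction_conflicts(TRANSACTIONS))
```

The assignment checks are preventive (run when roles are granted), while `transaction_conflicts` is detective (run over the posted events), which mirrors the distinction the COBIT definition of control draws between preventing undesired events and detecting and correcting them.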

Other Examples of Segregation of Duties:

Control Clerk - "Gate Keeper" -
In the days of complete batch processing, control clerks logged or scheduled input and output and maintained error and correction logs. They also controlled the flow of batches through data entry and editing, monitored processing, and controlled distribution of reports and other output. In many large companies this segregation is obsolete due to the advancement of technology and the use of automation.

Computer Operator - responsible for scheduling processing jobs and for running or monitoring scheduled production jobs.

System Programmer - responsible for installing, supporting, monitoring, and maintaining the operating system (and often the related hardware if that function is not performed by a separate hardware technician).


Personnel Control Plans:

Key Control Issues:
  • Selecting and Hiring Plans - Hiring qualified personnel, including individuals with pertinent technical backgrounds.
  • Retention Plans - Retaining is typically a harder task than actually hiring qualified individuals; to combat this difficulty, provide challenging work and continuing opportunities for advancement.
  • Personnel Development Plans - Training and development of qualified personnel.
  • Personnel Management Plans - This includes 5 subplans:
    • Personnel Planning Control Plans - such as skills, turnover, and filling positions.
    • Job Description Control Plans - such as maintaining job descriptions in written form and updating them.
    • Supervision Control Plans - such as approving, monitoring, and observing the work of others.
    • Personnel Security Control Plans - such as rotation of duties, forced vacations, and even bonding.
    • Personnel Termination Control Plans - such as procedures when an employee voluntarily or involuntarily leaves an organization.

Restrict Access to Computing Resources Using:
- Control plans that restrict physical access to computer facilities
- Control plans that restrict logical access to stored programs, data, and documentation